yom's web log

Monday 17 October 2016

Earlier this year, I decided to stop spending so much money on a dedicated server (a dedicated racked server) from Online.net. Not that the service was horrible, but on my current budget I could no longer afford such a high-level service.

So, since I had already tested DigitalOcean (DO) VPS (Droplets), I migrated my mail server there. Until recently it was a simple 40GB / 2GB / 2CPU VPS with ZFS installed, so with just one disk.

I've just taken some time to read about the new "volume" functionality they offer, and read that it's possible to add a DO Volume to ZFS with ease. So I created a new 40GB volume and attached it to my droplet. FreeBSD discovered the disk instantly (the transfer rate seems insane to me):

Thursday 10 May 2012

Some are simple, maybe too simple, and some look complete but are too complex, and/or the code doesn't suit my requirements, or the licence used is clearly not one I'd want to use either.

So I've decided to develop my own, a simple CGI C library, which tries to be:

Simple: there is a minimal set of methods to use it. Most method names are quite easy to understand, and they do no more and no less than what they should.

Delegated: headers are delegated, which means a header is responsible for its own life cycle and for how it gets into the headers list. The two headers already developed inside this library implement just that minimum, and anyone who wants to create a new header can use these two as examples.

Right now there is no version number for this library; it is clearly oriented towards being built and used on FreeBSD, since I'm using FreeBSD Makefiles. I'm also using tail queues (#include <sys/queue.h>), which I guess also exist on Linux... I didn't try it though, and I do not intend to maintain a Linux version since that's clearly not my primary goal. My primary goal is to deliver a really simple C library.

I'm using the 3-clause BSD licence, since I really prefer it, and it's also the one used by FreeBSD.

I know most people are now using "new languages" or "frameworks", but I clearly prefer to use C. I hope some will like the library :)

Thursday 5 April 2012

Most engineers know that a mail service runs at least two types of services:

SMTP, through which you send mail;

and one or more services through which you retrieve the mail you received:

POP3, which lets you download your mail locally. There are no server-side folders: everything sits in one mailbox, and you can't file mail into other mailboxes on the server.

IMAP, which lets you read your mail locally while it stays on the server. Depending on the IMAP server, you can create mailboxes (sub-folders) and file whatever mail you want in them.

So POP3 is simpler than IMAP, but IMAP is much better if you don't want your mail to exist only on one machine, or if you don't want to lose your mail history when you set up a new computer and don't want to migrate all your mail by hand.

Not every company can afford to run an IMAP service, and in most cases a company considers that you should only access your mail from work: it's work-related, you don't need to read it from outside, etc.

Well, that's not the case here: we first want to get out of Google Mail, even though we know we'll lose some features. We'll see here how to:

I had first installed dovecot 1 and configured it. It was working, but since version 2 is out, I upgraded my configuration file. Also keep in mind that we're going to use SSL to connect to the IMAP service, so don't worry much about the PLAIN/LOGIN authentication mechanisms; just leave Dovecot's disable_plaintext_auth at its default of yes, so that a password is never accepted over an unencrypted connection.

To install dovecot2 on FreeBSD:

# cd /usr/ports/mail/dovecot2

# make config

We only need these two:

[*] KQUEUE kqueue(2) support

[*] SSL SSL support

Start the install (with /bin/csh):

# setenv BATCH 1

# make install clean

# unsetenv BATCH

Once it's installed, you need to configure Dovecot. First, here are the files:

# ll /usr/local/etc/dovecot

total 58

-r--r--r-- 1 root wheel 122 Mar 4 12:36 README

drwxr-xr-x 2 root wheel 512 Mar 6 22:35 conf.d

-r--r--r-- 1 root wheel 52331 Mar 4 12:32 dovecot-1.conf

-r--r--r-- 1 root wheel 1125 Apr 4 09:27 dovecot.conf

# ll /usr/local/etc/dovecot/conf.d

total 4

-r--r--r-- 1 root wheel 2461 Apr 4 09:29 20-managesieve.conf

Since we want to serve IMAP over SSL, we need to create a key and a certificate.

Let's decide to put our key and certificate in a folder: /usr/local/certs/dovecot

We're using an openssl .cnf file to supply the certificate's information, and a script which sets up the environment to create the files.
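What such a script can look like, as an added example rather than the post's own script: it writes the .cnf with the certificate fields, generates a 2048-bit key and a self-signed certificate with openssl, and locks down the key's permissions. The directory, host name, country and organisation fields are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not the post's own script: create the key and the certificate
# Dovecot will serve, driven by an openssl .cnf file.  CERT_DIR, MAIL_HOST and
# the C/O fields are assumptions; override them from the environment.
CERT_DIR="${CERT_DIR:-/usr/local/certs/dovecot}"
MAIL_HOST="${MAIL_HOST:-mail.host.com}"
DAYS="${DAYS:-365}"

# Write the request config.  prompt = no makes openssl take the fields from
# the file instead of asking; subjectAltName is what clients verify today.
write_openssl_cnf() {
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server

[ dn ]
C  = FR
O  = host.com
CN = $MAIL_HOST

[ v3_server ]
subjectAltName   = DNS:$MAIL_HOST
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate the 2048-bit key and a self-signed certificate in one openssl call.
# umask 077 in a subshell ensures the key file is never world-readable, even
# for the instant between creation and the chmod below.
make_selfsigned_cert() {
    dir="$1"
    mkdir -p "$dir"
    write_openssl_cnf "$dir/dovecot.cnf"
    ( umask 077 && openssl req -x509 -new -config "$dir/dovecot.cnf" \
          -newkey rsa:2048 -nodes -days "$DAYS" \
          -keyout "$dir/dovecot.key.pem" -out "$dir/dovecot.cert.pem" )
    chmod 600 "$dir/dovecot.key.pem"
    chmod 644 "$dir/dovecot.cert.pem"
}

# Show subject and expiry so you can check what you are about to deploy.
show_cert() {
    openssl x509 -in "$1" -noout -subject -enddate
}

if [ "${1:-}" = "--run" ]; then
    make_selfsigned_cert "$CERT_DIR"
    show_cert "$CERT_DIR/dovecot.cert.pem"
fi
```

Point Dovecot at the result with ssl_cert = </usr/local/certs/dovecot/dovecot.cert.pem and ssl_key = </usr/local/certs/dovecot/dovecot.key.pem (the leading < tells Dovecot to read the file). Because the certificate is self-signed, clients will warn until you import it or replace it with one issued by a CA; the subjectAltName is there because modern clients check it rather than the CN.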

Wednesday 4 April 2012

In my first post, I talked about how to configure a server with Sendmail, make it use SMTP authentication, and make it use a certificate so that clients connect to your server via SSL: Secured Sendmail with SMTP Authentication

The next step is to let everyone check that mail from your domain really came through your mail server. There are a few ways to do this; here it's DKIM, which signs outgoing mail with a private key and publishes the matching public key in DNS.
And finally, we also want spam to be detected.

When I first searched for how to install DKIM, there were only a few messages saying that dkim-filter would soon be obsolete and that one should use OpenDKIM instead. I can see now that there are posts about this, and this one summarizes nicely how to use it even though it's about Postfix:

Once you're editing the configuration file, you can use these options; they are reasonably secure. Either uncomment them, or just replace the whole file if you don't care (you still have the sample file anyway):

Domain             host.com
KeyFile            /var/db/dkim/dkim.key.pem
MTA                MSA
Selector           dkim
Canonicalization   relaxed/simple
UserID             mailnull
ReportAddress      "DKIM Error Postmaster" <postmaster@host.com>
Socket             local:/var/run/milteropendkim/dkim-filter
Syslog             Yes

Then you have to create the key that will sign your mail:

# mkdir -p /var/db/dkim
# cd /var/db/dkim
# openssl genrsa -out rsa.private 2048
# openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
# mv rsa.private dkim.key.pem
# chown mailnull dkim.key.pem
# chmod 600 dkim.key.pem

Ask for 2048 bits explicitly: older openssl versions default to a 512-bit key, which is far too weak to sign anything with. The key is owned by mailnull because opendkim drops to the UserID set above and still needs to read it.

Again, we want everyone to be able to verify our signatures. So we're going to add another TXT record to the DNS zone of host.com, named dkim._domainkey.host.com (the selector from the configuration, then _domainkey), using the content of rsa.public without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines, and with all the lines concatenated into one single line:
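The record itself is not reproduced above. As an added example, not the author's own, here is a shell script that performs that transformation on rsa.public and prints the zone line for the dkim._domainkey.host.com record, splitting it into 255-character strings as the DNS protocol requires. The PEM it embeds is a constructed placeholder of the right length, not a real key.

```shell
#!/bin/sh
# Added example, not the post's own: build the DNS TXT record that publishes
# the DKIM public key from the rsa.public file created above.  SELECTOR and
# DOMAIN match the opendkim.conf above; the PEM emitted by sample_pem is a
# constructed placeholder of the right length, not a real key.
SELECTOR="${SELECTOR:-dkim}"
DOMAIN="${DOMAIN:-host.com}"

# Drop the -----BEGIN/END PUBLIC KEY----- lines and join the rest into one line.
pem_to_base64() {
    grep -v -- '-----' "$1" | tr -d '\n\r '
}

# Record value: v=DKIM1 (version), k=rsa (key type), p= (the key itself).
dkim_record_value() {
    printf 'v=DKIM1; k=rsa; p=%s' "$(pem_to_base64 "$1")"
}

# Zone file line, split into quoted 255-character strings: one TXT string is
# limited to 255 bytes on the wire, and a 2048-bit key does not fit in one.
# Resolvers concatenate the strings, so verifiers see a single value.
dkim_zone_line() {
    rest="$(dkim_record_value "$1")"
    printf '%s._domainkey.%s. IN TXT (' "$SELECTOR" "$DOMAIN"
    while [ -n "$rest" ]; do
        chunk="$(printf '%s' "$rest" | cut -c1-255)"
        rest="$(printf '%s' "$rest" | cut -c256-)"
        printf ' "%s"' "$chunk"
    done
    printf ' )\n'
}

# Constructed stand-in for rsa.public (392 base64 characters, like a real
# 2048-bit key), so the script runs without generating a key first.
sample_pem() {
    cat <<'EOF'
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxxxxxxxxxxxxxxxxxxxx
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
BAgMBAAE
-----END PUBLIC KEY-----
EOF
}

# Usage: dkim_record.sh [/var/db/dkim/rsa.public]; without an argument the
# constructed sample is used.
if [ -n "${1:-}" ]; then
    dkim_zone_line "$1"
else
    tmp="$(mktemp)"
    sample_pem > "$tmp"
    dkim_zone_line "$tmp"
    rm -f "$tmp"
fi
```

Once the zone is reloaded, dig +short TXT dkim._domainkey.host.com should return the same v=DKIM1 value, and opendkim-testkey -d host.com -s dkim -vvv confirms that the published key matches the private one in /var/db/dkim.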

I'm not sure exactly why, but when I think about spam I think of "nice" words... Anyway, from the first day I used mail and looked for information about mail servers, I have always heard or read about SpamAssassin.

So let's install SpamAssassin, the service:

# cd /usr/ports/mail/p5-Mail-SpamAssassin

# make config

These are the options you'll preferably check:

[*] AS_ROOT Run spamd as root (recommended)

[*] SPAMC Build spamd/spamc (not for amavisd)

[*] DKIM DKIM/DomainKeys Identified Mail

[*] SSL Build with SSL support for spamd/spamc

[*] GNUPG Install GnuPG (for sa-update)

[*] RAZOR Add Vipul's Razor support

[*] SPF_QUERY Add SPF query support

Then (with /bin/csh):

# setenv BATCH 1

# make install clean

# unsetenv BATCH

Once installed:

# cd /usr/local/etc/mail/spamassassin

# cp local.cf.sample local.cf

It's probably not needed, but you could edit local.cf to suit your needs; basically it's already fine as it is. We'll set the rest in /etc/rc.conf by adding:

To explain: we add the milter, and we define the milter macros that pass the encryption state of the connection to SpamAssassin. Then we tell sendmail to delay the DNS blacklist checks until the recipient is known (FEATURE(delay_checks)), which makes it possible to exempt specific recipients. The ZEN list combines the different types of lists at Spamhaus, and the two others are well-known blacklists. It seems the three of them together detect spam nicely.

The most important thing to understand here is spamass_milter_localflags, where the "-i" option tells the milter not to scan messages whose originating IP is in the list, here "127.0.0.1,111.222.0.111". You can always add IP addresses here and restart the milter. The "-I" option does the same for senders who passed SMTP authentication, which is useful when your own users connect from changing addresses.

Let's start it:

# /usr/local/etc/rc.d/spamass-milter start

Then let sendmail know about our changes and restart it:

# cd /etc/mail

# make all install restart

Sendmail should now be running. You can check for errors in /var/log/maillog.
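The rc.conf lines and the matching sendmail .mc lines are not reproduced above. The following is an added example, not the post's own configuration, of how the pieces fit together: register both milters in mail.host.com.mc, pass them the TLS and authentication macros, enable delayed DNSBL checks with the Spamhaus ZEN list, and enable the daemons in /etc/rc.conf. The OpenDKIM socket and the 111.222.0.111 address come from the post; the spamass-milter socket path and the .mc file name are assumptions, and the two other blacklists are left for you to add.

```shell
#!/bin/sh
# Added example, not the post's own configuration: sendmail .mc lines that
# wire in OpenDKIM and spamass-milter, delay the DNSBL checks and add the
# Spamhaus ZEN list, plus the matching /etc/rc.conf lines.  The OpenDKIM
# socket and 111.222.0.111 come from the post; SPAMASS_SOCK and MC are
# assumptions.  Nothing under /etc is touched unless you run it with --apply.
MC="${MC:-/etc/mail/mail.host.com.mc}"
DKIM_SOCK="${DKIM_SOCK:-/var/run/milteropendkim/dkim-filter}"
SPAMASS_SOCK="${SPAMASS_SOCK:-/var/run/spamass-milter.sock}"

# INPUT_MAIL_FILTER registers each milter, in order.  F=T makes sendmail
# temp-fail mail while OpenDKIM is unreachable (better than sending it
# unsigned); F= lets mail through unscanned if spamass-milter is down.
# The MACROS lines hand the milters the TLS state ({tls_version}, {cipher}...)
# and the SMTP AUTH result ({auth_authen}); delay_checks postpones the DNSBL
# rejects to RCPT time so access-db entries can exempt specific recipients.
milter_mc_fragment() {
    sed -e "s|@DKIM_SOCK@|$DKIM_SOCK|g" -e "s|@SPAMASS_SOCK@|$SPAMASS_SOCK|g" <<'EOF'
dnl --- milters: DKIM first, then spam scoring ---
INPUT_MAIL_FILTER(`opendkim', `S=local:@DKIM_SOCK@, F=T, T=C:1m;S:30s;R:30s;E:5m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:@SPAMASS_SOCK@, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT', `b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
dnl --- DNS blacklists, evaluated once the recipient is known ---
FEATURE(`delay_checks')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " rejected, see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
EOF
}

# /etc/rc.conf: enable the daemons.  -i skips scanning for mail from the
# listed addresses (the post's 127.0.0.1,111.222.0.111); -I also skips mail
# from senders who passed SMTP AUTH, so your users' outgoing mail is not scored.
rc_conf_fragment() {
    cat <<'EOF'
sendmail_enable="YES"
milteropendkim_enable="YES"
spamd_enable="YES"
spamass_milter_enable="YES"
spamass_milter_localflags="-i 127.0.0.1,111.222.0.111 -I"
EOF
}

# List the required .mc lines that are absent from a file (one per line), so
# re-running the script never appends the same lines a second time.
mc_missing() {
    for key in "INPUT_MAIL_FILTER(\`opendkim'" "INPUT_MAIL_FILTER(\`spamassassin'" \
               "FEATURE(\`delay_checks')" "FEATURE(\`dnsbl', \`zen.spamhaus.org'"; do
        grep -qF -- "$key" "$1" || printf '%s\n' "$key"
    done
}

# Append the fragments only when none of them is there yet, then rebuild and
# restart sendmail exactly as the post does.
apply() {
    missing="$(mc_missing "$MC")"
    if [ -z "$missing" ]; then
        echo "$MC already contains the milter lines"
    elif [ "$(printf '%s\n' "$missing" | wc -l | tr -d ' ')" -eq 4 ]; then
        milter_mc_fragment >> "$MC"
    else
        echo "$MC is partially configured; add by hand:"; echo "$missing"; return 1
    fi
    grep -q '^spamass_milter_enable=' /etc/rc.conf || rc_conf_fragment >> /etc/rc.conf
    (cd /etc/mail && make all install restart)
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it with --apply as root after the milters are installed; running it without arguments only defines the functions, so you can source it and call milter_mc_fragment to review the lines before touching /etc/mail.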

An optional package you could install (I didn't look into advanced configuration) is ClamAV, to check your mail for viruses. If you think you can trust what's in your mail you're not forced to install it, but here is how I'd do it (again with /bin/csh):

Tuesday 3 April 2012

This was my first step when I decided that I wanted my own mail server.

I have been using FreeBSD for more than 2 years now, and clearly: I'm very happy with it. The OS itself is KISS! Exactly that, no less, no more.

I know there are a few mail servers out there, but since FreeBSD ships (for free) with sendmail, I decided I'd use nothing but sendmail. It's in the base system, it works, and there are blog posts talking about it.

You can read it in the title of this post: I want a secure (through a certificate) mail server, and I want people using this server to authenticate themselves. There are reasons for those choices:

Through a certificate: connections are encrypted with SSL. I don't want mail and credentials to travel in the clear on any network, even one that is said to be "secure".

SMTP authentication: people who want to use my mail server must have an account on it, and they have to authenticate to send mail. This means I don't want spammers to be able to relay spam through my server, and this is one step towards that.

This step is really simple since everything is explained in the FreeBSD documentation:

Since we haven't talked about the configuration of sendmail yet, you can follow steps 1 to 5.

When you're done with these steps, we can start to configure Sendmail.

Where to start:

# cd /etc/mail

Now that we're there, there are a few files like freebsd.mc, freebsd.cf, freebsd.submit.mc and freebsd.submit.cf.

The .cf files are complex, but no worries: they are generated from the .mc ones.

Let's consider that you want to dedicate your server to mail services only, and that it's called mail.host.com, which means your /etc/rc.conf contains:

hostname="mail.host.com"

You first need to create the .mc and .cf files for your server.

# cd /etc/mail

# make cf

This will create:

mail.host.com.mc: this is where most of the configuration will be done

mail.host.com.submit.mc: I don't remember ever touching this file, but you can have a look at it since it is still instructive

mail.host.com.cf: generated from your mail.host.com.mc

mail.host.com.submit.cf: generated from your mail.host.com.submit.mc

So of the 4 files, there's only one we will configure.

Let's say you created your host "mail.host.com" because you want your e-mail addresses in the host.com domain, i.e. addresses ending in @host.com. You've got to add "host.com" to /etc/mail/local-host-names, so that this command shows your domain name:

# cat /etc/mail/local-host-names

host.com

#

From here, you could type "make all install restart" and your server would work. But we're not there yet, since we still have to configure our mail.host.com.mc following step 6 of SMTP Authentication with Sendmail and SASL2.

We are sure that our users will be trusted ones, since they will be authenticated, so it's a step forward for security. You can also check sendmail(8).
As for the privacy flags, I think it's better to let other mail servers check whether a user's e-mail address exists, but you could also put "novrfy" in place of "needvrfyhelo". (needvrfyhelo only requires a HELO before VRFY is answered; novrfy disables VRFY altogether, which also stops a remote party from enumerating valid addresses.)

"If all has gone correctly, you should be able to enter your login information into the mail client and send a test message. For further investigation, set the LogLevel of sendmail to 13 and watch /var/log/maillog for any errors."

Now you should be able to create users on your server, and they should be able to authenticate to send mail.
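As an added example of what step 6 and the privacy flags look like in mail.host.com.mc (not the post's own file), the following script prints the STARTTLS, SMTP AUTH and privacy settings, and includes a check for a classic weak spot: offering PLAIN or LOGIN without the "p" option that refuses them until STARTTLS is up. The certificate paths under /etc/mail/certs are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own .mc: the STARTTLS, SMTP AUTH and privacy
# lines for mail.host.com.mc, and a check that catches offering PLAIN/LOGIN
# without forcing them over TLS.  Paths under /etc/mail/certs are assumptions.

# confAUTH_OPTIONS: A = add AUTH= only when authentication succeeded,
# p = refuse PLAIN/LOGIN until a security layer (STARTTLS) is active,
# y = no anonymous mechanisms.  M=Ea on port 587 makes submission
# authentication-only and disables ETRN there; freebsd.mc already carries
# this DAEMON_OPTIONS line with M=E, so replace it rather than add a second.
auth_tls_fragment() {
    cat <<'EOF'
dnl --- STARTTLS ---
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/key.pem')dnl
dnl --- SMTP AUTH (SASL2) ---
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
dnl --- submission port: authenticated clients only ---
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl
dnl --- privacy: novrfy/noexpn stop address enumeration, HELO is required ---
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
dnl --- 13 while debugging, as the handbook suggests; back to 9 afterwards ---
define(`confLOG_LEVEL', `13')dnl
EOF
}

# Print the value of define(`NAME', `value')dnl from an .mc file.
mc_define() {
    sed -n "s/^define(\`$2', \`\\([^']*\\)')dnl.*/\\1/p" "$1"
}

# "weak" if a plaintext mechanism (PLAIN or LOGIN) is offered while
# confAUTH_OPTIONS lacks p, "ok" otherwise.  Run it on your .mc before
# "make all install restart".
check_auth_options() {
    mechs="$(mc_define "$1" confAUTH_MECHANISMS)"
    opts="$(mc_define "$1" confAUTH_OPTIONS)"
    case " $mechs " in
        *" PLAIN "*|*" LOGIN "*)
            case "$opts" in
                *p*) echo ok ;;
                *)   echo weak ;;
            esac ;;
        *) echo ok ;;
    esac
}

case "${1:-}" in
    --print) auth_tls_fragment ;;
    --check) check_auth_options "${2:-/etc/mail/mail.host.com.mc}" ;;
esac
```

Use --print to see the lines to merge into mail.host.com.mc, and --check on the finished file: "weak" means a client could be coaxed into sending a password in the clear on port 25, since PLAIN and LOGIN would be accepted before STARTTLS.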

Friday 30 March 2012

Since Google started offering its Mail and Talk services, I've been a fervent user of them. I also moved a domain I own to Google Apps and was very happy with that for some time. Google offers privacy and all sorts of things which are very nice, and for a standard user it's really everything one needs from an online mail and chat service.

Of course, there are many other providers and they also do a great job about their services.

I'm probably not the only one who doesn't like having my mail and chats depend on third-party services. Since I've got some knowledge about mail servers and instant messaging servers, I've decided to get myself out of those third-party mail providers. I know perfectly well that it's not something I can do instantly, and also that I'll have to take some time to make it complete and working.

Most people want something they can rely on without having to do anything (configuration, administration, security, privacy). That's very nice in some cases, but not in mine anymore. I need to know what's going on with my mail, I need to be sure no one will ever be able to read my mail, not even by accident or for any commercial use, and I know that I'm best placed to check the security of my own mail. I also need to be sure that e-mail addresses from the domain I own won't be used for spam, and I can tell you that when a mail server is configured to relay for anyone, what it receives is more than harassment.

In the near future, when I think my mail server configuration is good enough to share, I'll write a series of posts about how to install a mail server and add some security. So, stay tuned.

UPDATED:

I really want to thank FreeBSD for giving us such an exceptional OS with great tools and services.